Infosec heavyweights are uniting to oppose US government proposals to tighten up export controls against software exploits, a move critics argue threatens to imperil mainstream security research and information sharing.
The proposed regulation, based on the Wassenaar Arrangement of 1996 and not originally intended to include cybersecurity, aims to stop companies selling "intrusion software" ( i.e. software that allows hackers to break into networks).
The Coalition for Responsible Cybersecurity, including the likes of Symantec and FireEye, argues that the vagueness of the language covered by the proposals would snag legitimate research and technology, ultimately making it impossible for companies to stay ahead of hackers.
If adopted, the draft proposals would harm US cybersecurity firms' ability to compete in the global market, the coalition says.
The network surveillance controls included in the rule could hinder effective development of perimeter security technologies. Inclusion of features and functionality, such as network monitoring and pre-programmed actions, including for example IP blocking, may require a licence if sold outside the US and Canada.
Many countries with advanced cybersecurity industries – from Israel, Brazil, and Singapore to Russia and China – are not subject to these restrictions. Cybersecurity research will be curtailed, since the rule proposed would hinder researchers from testing networks and sharing technical information about new vulnerabilities across borders.
The Coalition plans to lobby the US government about the risks created by the proposed regulation. The basic argument is that rules intended to control weapons' exploits would be misapplied to the arena of software exploits and vulnerability research.
Ron Bushar, global director for security program services at Mandiant, a FireEye company, explained:
“The rule treats these tools as though they were weapons, but in fact they are absolutely essential for every company and government that has been targeted by attackers. Every time cybersecurity professionals are asked to do defensive testing for a business – even a U.S. business with operations in Europe or South America – they would need a license.
"The process involved in acquiring these unnecessary government licenses would delay cybersecurity protections for months, ensuring that U.S. cybersecurity defenses will always lag far behind the hackers.”
Cybersecurity information sharing, long a priority for the Obama administration, would also suffer, according to the security firms.
“More than 70 per cent of our cybersecurity researchers are from outside the United States but we will be barred from using their expertise,” said Jay Kaplan, chief exec of Synack and former NSA analyst.
"This regulation could require our researchers in the United States to get a government license just to have more than a superficial conversation about new security vulnerabilities.”
The changes are ostensibly geared towards preventing repressive regimes around the world from buying sophisticated software that can be used to spy on political opponents and others.
The export control rules will do nothing to stop the spread of malware or curtail illicit hacking and intrusions in any way, according to firms who have signed up to the coalition. In fact, the regulations would hinder research and the development of effective tools to combat attackers.
Synack’s Kaplan added:
“All the rule will do is prevent US companies with an international business from having good cybersecurity and stop US cybersecurity companies from competing. We will be more at risk and less competitive as a nation if the Commerce Department limits U.S. cybersecurity activities."
Implementation of this rule as it stands would "significantly weaken the technology, processes, and tools industry uses to maintain state of the art defenses against intrusions, and all other hacking activities".
The rule will put the US and the world at greater risk from hackers – exactly the opposite of what it seeks to accomplish, according to industry critics.
Adam Ghetti, CTO of Ionic Security, another member of the coalition, concluded:
“This proposed rule is unacceptably restrictive and ambiguous, and it applies to an industry that has not been targeted in this way by export controls before. We would encourage the Department to reconsider in light of the negative consequences, however unintended, that would result from implementation of its current proposal.”
The Coalition - whose goal is to prevent the Commerce Department from adopting proposed export control regulations - plans to file detailed comments with the Commerce Department. It better gets its skates on.
The window for comment on the draft rules to the Commerce Department is due to close on 20 July.®